Wednesday 19 October 2011

LoadDLLViaAppInit 64-bit

Many of my security tools are DLLs. If you want to use these tools inside a 64-bit process, you’re stuck, because you can’t use 32-bit DLLs inside a 64-bit process (and vice versa).
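Whether a DLL matches the bitness of the process it is meant for can be checked from the Machine field of its PE header before it is configured for loading. The following is an added example, not part of LoadDLLViaAppInit or of the original post; the function names and the constructed sample headers are assumptions made for illustration.

```python
import struct

# COFF Machine values from the PE format specification.
MACHINES = {0x014C: "x86", 0x8664: "x64"}
OPT_MAGIC = {"x86": 0x10B, "x64": 0x20B}   # PE32 / PE32+
IMAGE_FILE_DLL = 0x2000

def pe_arch(data):
    """Return (arch, is_dll) for a PE image, or raise ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Signature (4) + COFF header (20) + optional-header magic (2) must fit.
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _, _, _, _, _, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    arch = MACHINES.get(machine)
    if arch is None:
        raise ValueError("unsupported machine 0x%04x" % machine)
    # A Machine value that disagrees with the optional header is malformed.
    if magic != OPT_MAGIC[arch]:
        raise ValueError("optional header magic does not match machine")
    return arch, bool(characteristics & IMAGE_FILE_DLL)

def bitness_ok(data, process_arch):
    """True only if the image is a DLL of the same bitness as the process."""
    try:
        arch, is_dll = pe_arch(data)
    except ValueError:
        return False
    return is_dll and arch == process_arch

def sample_image(machine, magic, characteristics):
    """Constructed minimal header (not a loadable file), for demonstration only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, characteristics)
    return dos + b"PE\0\0" + coff + struct.pack("<H", magic)

if __name__ == "__main__":
    dll32 = sample_image(0x014C, 0x10B, 0x2102)
    dll64 = sample_image(0x8664, 0x20B, 0x2022)
    for name, img in (("dll32", dll32), ("dll64", dll64)):
        print(name, pe_arch(img), "matches x64 process:", bitness_ok(img, "x64"))
```

A matching Machine value is a necessary condition only; it says nothing about whether the DLL's own dependencies are present on the system.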

LoadDLLViaAppInit is a tool I released to load DLLs inside selected processes. If you want to use this 32-bit version of LoadDLLViaAppInit on a 64-bit Windows machine, you need to configure AppInit_DLLs in this registry key:

This 64-bit version has only been tested on 64-bit Windows, not on 64-bit XP or on 64-bit Windows Server. I expect it to work on these systems too, but you need to test first. I’ve also compiled this 64-bit version with Visual Studio 2010 and an option to include the Visual C++ runtime libraries inside the DLL, so you don’t need to install the Microsoft Visual C++ 2010 Redistributable Package. But this option has a drawback: when Microsoft releases a patch for the libraries, I (or you) will have to recompile the DLL with the new version of the libraries.

What I mean is the following: I’ve compiled this with the /MT flag, which makes the linker include the C++ runtime in the DLL.
The advantage is that it will run on all x64 systems.
The drawback is the following: say that a vulnerability is found in the runtime, and that Microsoft releases a patch for the runtime. Applying this patch on your system will not remove the vulnerability in the runtime inside LoadDLLViaAppInit64.dll. The only way to remove this vulnerability is to apply the patch for Visual Studio, and then recompile.